Help Center/ Object Storage Service/ API Reference/ Calling APIs/ Authentication/ Using Signature Generators
Updated on 2024-09-29 GMT+08:00
View PDF
Share

Using Signature Generators

OBS provides graphical tools to make it easier to generate signatures.

Table 1 Signature generators

Signature Carrying Method

Signature Generator

Using an authorization header

Signature generator

Using a pre-signed URL

Signature generator

Procedure

Use the signature generator as follows:

In an Authorization Header

  1. Open the signature generator.
  2. Enter the AK and SK. For details, see Access Keys.
  3. Configure StringToSign parameters.

    Table 2 Parameter description

    Parameter

    Type

    Mandatory (Yes/No)

    Description

    HTTP-Verb

    String

    Yes

    Explanation:

    The HTTP method used to make a request (also called an operation). For RESTful APIs, HTTP methods include PUT, GET, DELETE, and other operations. Select a method based on the API to be called.

    Restrictions:

    None

    Value range:

    • GET: Requests that a server return a specific resource, for example, obtaining a bucket list or downloading an object.
    • PUT: Requests that a server update a specific resource, for example, creating a bucket or uploading an object.
    • POST: Requests that a server add a resource or perform special operations such as initiating a multipart upload or assembling parts.
    • DELETE: Requests that a server delete a specific resource such as an object.
    • HEAD: Requests that a server return the description of a specific resource, for example, obtaining object metadata.
    • OPTIONS (not supported for signature generators): Requests that a server check whether the user has the permissions to perform an operation on a resource. CORS must be configured for the bucket.

    Default value:

    None

    Content-MD5

    String

    No

    Explanation:

    The base64-encoded 128-bit MD5 digest of the request body based on RFC 1864. This header can be used as a message integrity check to verify that the data was not tampered with in transit.

    Restrictions:

    None

    Value range:

    0–24 characters (0 included, 24 excluded)

    Default value:

    This parameter is left blank by default.

    Content-Type

    String

    No

    Explanation:

    The file type of an object—for example, text/plain—which determines what format and encoding a browser uses to read the file.

    Restrictions:

    None

    Value range:

    See What Is Content-Type (MIME)?

    Default value:

    If this header is not included in the request, an empty string is used. For details, see Table 4. If this header is contained but not specified, its value is automatically specified based on the file name extension. If the file has no extension, application/octet-stream is used by default.

    Date

    String

    Yes

    Explanation:

    When a request was made. If the value of Date is over 15 minutes away from the current server time, the server returns 403, indicating that the request is invalid.

    Restrictions:

    • The value must be a GMT in RFC 1123 format.
    • If Date and x-obs-date headers are both specified, x-obs-date applies.

    Value range:

    None

    Default value:

    None

    CanonicalizedHeaders

    String

    No

    Explanation:

    Additional headers defined by OBS that are prefixed with x-obs-, for example, x-obs-date, x-obs-acl, and x-obs-meta-*. For each additional header, separate its name and value by a colon (:). In x-obs-storage-class:STANDARD, for example, x-obs-storage-class is the header name, and STANDARD is the header value.

    Restrictions:

    1. A header name cannot contain non-ASCII or unrecognizable characters, which are also not recommended for header values. If such characters are necessary, they must be encoded or decoded in URL or Base64 on the client side, because the server side does not perform any decoding.
    2. If a header has multiple values, these values need to be written together under their shared header name, separated by commas (,). For example, x-obs-meta-name:name1 and x-obs-meta-name:name2 must be combined into x-obs-meta-name:name1,name2.
    3. You do not need to handle the case conversion or lexicographical sorting of header names, which are automatically handled by the software.

    Value range:

    Determined by the API to be called

    Default value:

    This parameter is left blank by default.

    CanonicalizedResource

    String

    Yes

    Explanation:

    OBS resources specified in an HTTP request. The structure is as follows:

    CanonicalizedResource = /bucket-name/object-name?sub-resource

    For example, if you want to call GetObject to obtain version xxx of object object-test stored in bucket-test and change Content-Type to text/plain, then CanonicalizedResource would be as follows:

    /bucket-test/object-test?response-content-type=text/plain&versionId=xxx
    • bucket-name:

      If the bucket does not have a custom domain name associated, use its own name.

      Otherwise, use its associated custom domain name. In /obs.ccc.com/object, for example, obs.ccc.com is a custom bucket domain name.

      If an API operation does not require a bucket to be specified, for example, listing all buckets under an account, omit both the bucket name and object name by using, for example, /.

    • object-name:

      The name of the required object. Follow the object naming rules.

    • sub-resource: Arrange multiple sub-resources in ascending lexicographic order and use ampersands (&) to separate them.

      sub-resource identifiers: CDNNotifyConfiguration, acl, append, attname, backtosource, cors, customdomain, delete, deletebucket, directcoldaccess, encryption, inventory, length, lifecycle, location, logging, metadata, modify, name, notification, partNumber, policy, position, quota, rename, replication, restore, storageClass, storagePolicy, storageinfo, tagging, torrent, truncate, uploadId, uploads, versionId, versioning, versions, website,x-obs-security-token, object-lock, retention

      Response header sub-resources: response-cache-control, response-content-disposition, response-content-encoding, response-content-language, response-content-type, response-expires

      Image processing sub-resources: x-image-process, x-image-save-bucket, x-image-save-object

    Restrictions:

    A sub-resource usually has only one value. Listing multiple values for the same resource key—for example, key=value1&key=value2—is not recommended. If you do so, only the first sub-resource value is used to calculate the signature.

    Value range:

    None

    Default value:

    If this parameter is not specified, / is used.

  4. Click Generate Signed Authorization Header.

In a Pre-signed URL

  1. Open the signature generator.
  2. Enter the AK and SK. For details, see Access Keys.
  3. Configure StringToSign parameters.

    Table 3 Parameter description

    Parameter

    Type

    Mandatory (Yes/No)

    Description

    HTTP-Verb

    String

    Yes

    Explanation:

    The HTTP method used to make a request (also called an operation). For RESTful APIs, HTTP methods include PUT, GET, DELETE, and other operations. Select a method based on the API to be called.

    Restrictions:

    None

    Value range:

    • GET: Requests that a server return a specific resource, for example, obtaining a bucket list or downloading an object.
    • PUT: Requests that a server update a specific resource, for example, creating a bucket or uploading an object.
    • POST: Requests that a server add a resource or perform special operations such as initiating a multipart upload or assembling parts.
    • DELETE: Requests that a server delete a specific resource such as an object.
    • HEAD: Requests that a server return the description of a specific resource, for example, obtaining object metadata.
    • OPTIONS (not supported for signature generators): Requests that a server check whether the user has the permissions to perform an operation on a resource. CORS must be configured for the bucket.

    Default value:

    None

    Content-MD5

    String

    No

    Explanation:

    The base64-encoded 128-bit MD5 digest of the request body based on RFC 1864. This header can be used as a message integrity check to verify that the data was not tampered with in transit.

    Restrictions:

    None

    Value range:

    0–24 characters (0 included, 24 excluded)

    Default value:

    This parameter is left blank by default.

    Content-Type

    String

    No

    Explanation:

    The file type of an object—for example, text/plain—which determines what format and encoding a browser uses to read the file.

    Restrictions:

    None

    Value range:

    See What Is Content-Type (MIME)?

    Default value:

    If this header is not contained in the request, an empty string is used. For details, see Table 4. If this header is contained but not specified, its value is automatically specified based on the file name extension. If the file has no extension, application/octet-stream is used by default.

    Expires

    String

    Yes

    Explanation:

    When a pre-signed URL expires, measured as a UNIX timestamp (how many seconds elapsed since 00:00:00 on January 1, 1970). After the specified time elapses, the URL expires.

    Restrictions:

    None

    Value range:

    Current time<Expires<20 years after the current time. Unit: second.

    NOTE:

    You just need to specify a validity period for the signature in the signature generator, which will automatically produce a Unix timestamp based on the current time. For example, to configure a signature to be valid for 10 minutes, you specify 600 for Expires.

    Default value:

    None

    CanonicalizedHeaders

    String

    No

    Explanation:

    Additional headers defined by OBS that are prefixed with x-obs-, for example, x-obs-date, x-obs-acl, and x-obs-meta-*. For each additional header, separate its name and value by a colon (:). In x-obs-storage-class:STANDARD, for example, x-obs-storage-class is the header name, and STANDARD is the header value.

    Restrictions:

    1. A header name cannot contain non-ASCII or unrecognizable characters, which are also not recommended for header values. If such characters are necessary, they must be encoded or decoded in URL or Base64 on the client side, because the server side does not perform any decoding.
    2. If a header has multiple values, these values need to be written together under their shared header name, separated by commas (,). For example, x-obs-meta-name:name1 and x-obs-meta-name:name2 must be combined into x-obs-meta-name:name1,name2.
    3. You do not need to handle the case conversion or lexicographical sorting of header names, which are automatically handled by the software.

    Value range:

    Determined by the API to be called

    Default value:

    This parameter is left blank by default.

    CanonicalizedResource

    String

    Yes

    Explanation:

    OBS resources specified in an HTTP request. The structure is as follows:

    CanonicalizedResource = /bucket-name/object-name?sub-resource

    For example, if you want to call GetObject to obtain version xxx of object object-test stored in bucket-test and change Content-Type to text/plain, then CanonicalizedResource would be as follows:

    /bucket-test/object-test?response-content-type=text/plain&versionId=xxx
    • bucket-name:

      If the bucket does not have a custom domain name associated, use its own name.

      Otherwise, use its associated custom domain name. In /obs.ccc.com/object, for example, obs.ccc.com is a custom bucket domain name.

      If an API operation does not require a bucket to be specified, for example, listing all buckets under an account, omit both the bucket name and object name by using, for example, /.

    • object-name:

      The name of the required object. Follow the object naming rules.

    • sub-resource: Arrange multiple sub-resources in ascending lexicographic order and use ampersands (&) to separate them.

      sub-resource identifiers: CDNNotifyConfiguration, acl, append, attname, backtosource, cors, customdomain, delete, deletebucket, directcoldaccess, encryption, inventory, length, lifecycle, location, logging, metadata, modify, name, notification, partNumber, policy, position, quota, rename, replication, restore, storageClass, storagePolicy, storageinfo, tagging, torrent, truncate, uploadId, uploads, versionId, versioning, versions, website,x-obs-security-token, object-lock, retention

      Response header sub-resources: response-cache-control, response-content-disposition, response-content-encoding, response-content-language, response-content-type, response-expires

      Image processing sub-resources: x-image-process, x-image-save-bucket, x-image-save-object

    Restrictions:

    A sub-resource usually has only one value. Listing multiple values for the same resource key—for example, key=value1&key=value2—is not recommended. If you do so, only the first sub-resource value is used to calculate the signature.

    Value range:

    None

    Default value:

    If this parameter is not specified, / is used.

  4. Click Generate Signed Query URL.

Addressing a Signature Mismatch

During an OBS API call, if the following error is reported:

Status code: 403 Forbidden

Error code: SignatureDoesNotMatch

Error message: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Handle the problem by referring to Why Don't the Signatures Match?

Parent topic: Authentication